[英]Adding a custom filter to authentication process in Spring Security
现在,我的身份验证已使用用户名和密码完成。 我想再添加一个步骤,以便它检查用户是否被激活。 我有一个用户表,如果用户已激活帐户,该表将保存值。
我有我的SecurityConfig.java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// This somehow works but only if the account is not validated
// auth.authenticationProvider(new UserActivatedAuthenticationProvider(userService));
auth.userDetailsService(userDetailsService).passwordEncoder(new ShaPasswordEncoder(encodingStrength));
}
和UserActivatedAuthenticationProvider.java
@Component
public class UserActivatedAuthenticationProvider implements AuthenticationProvider {
private final UserService userService;
@Autowired public UserActivatedAuthenticationProvider(UserService userService) {
this.userService = userService;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String name = authentication.getName();
User user = userService.findByEmail(name);
if (user != null) {
if (!user.isActivated()) {
throw new BadCredentialsException(name + " email is not activated.");
}
}
Object credentials = authentication.getCredentials();
if (!(credentials instanceof String)) {
return null;
}
String password = credentials.toString();
Authentication auth = new UsernamePasswordAuthenticationToken(name, password);
return auth;
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
我只想在激活帐户后才继续进行身份验证。 由于无法获取用户名,因此无法在AuthenticationManagerBuilder
使用userService
。 我正在将该项目用作种子。 简而言之...我还想检查is_activated
列的值,并像现在一样基于该值进行操作(用户名和密码验证)。
你并不需要一个AuthenticationProvider
。 您需要实现UserDetailsService
如下;
@Service
public class MyUserDetailsService implements UserDetailsService {
@Autowired
private UserService userService;
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
User user = userService.findByEmail(username);
if(user == null) {
throw new UsernameNotFoundException(username);
}
return org.springframework.security.core.userdetails.User(username, user.getPassword(), user.isActivated(), true, true, true, user.getRoles().stream().map(role -> role.getRoleName()).map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
}
}
弹簧类org.springframework.security.core.userdetails.User
作为属性命名enabled
的,你可以通过你的user.isActivated()
从数据库标志。
您可以通过提供自定义的用户信息服务做到这一点。
@Autowired
private CustomUserDetailsService customUserDetailsService ;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService ).passwordEncoder(new ShaPasswordEncoder(encodingStrength));
}
和
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserService userService;
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
User user = userService.findByEmail(username);
if(user == null) {
throw new UsernameNotFoundException(username);
}
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
GrantedAuthority grantedAuthority = new SimpleGrantedAuthority("USER");
authorities.add(grantedAuthority);
return org.springframework.security.core.userdetails.User(username, user.getPassword(), user.isActivated(), true, true, true, authorities );
}
}
现在,基于第三PARAM的布尔值,春季安全会自动允许/拒绝用户登录,并且还会为用户如果没有激活邮件“被禁用的用户”。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.